Table of Contents
Introduction
Chapter 1 Introduction to Email Security
Overview of Cisco IronPort Email Security Appliance (ESA)
AsyncOS
Security Management Appliances (SMA)
History of AsyncOS Versions
Software Features
Email Security Landscape
Email Spam
Viruses and Malware
Protecting Intellectual Property and Preventing Data Loss
Other Email Security Threats
Simple Mail Transfer Protocol (SMTP)
SMTP Commands
ESMTP Service Extensions
SMTP Message Headers and Body
Envelope Sender and Recipients
Transmitting Binary Data
MIME Types
Character Sets
Domain Name Service (DNS) and DNS MX Records in IPv4 and IPv6
Message Transfer Agents (MTA)
Abuse of SMTP
Relaying Mail and Open Relays
Bounces, Bounce Storms, and Misdirected Bounces
Directory Harvest Attacks
Summary
Chapter 2 ESA Product Basics
Hardware Overview
2U Enterprise Models
1U Enterprise Models
Selecting a Model
Basic Setup via the WUI System Setup Wizard
Connecting to the ESA for the First Time
Running the System Setup Wizard
Reconnecting to the WUI
LDAP Wizard and Next Steps
Examining the Basic Configuration
Next Steps
Setup Summary
Networking Deployment Models
Interfaces, Routing, and Virtual Gateways
Single Versus Multinetwork Deployment
Routing on Multinetwork Deployments
DNS Concerns
Firewall Rules
Securing Network Interfaces
Security Filtering Features
SenderBase and Reputation Filters
IronPort Anti-Spam
Antivirus Features
Summary
Chapter 3 ESA Email Pipeline
ESA Pipeline
Listeners
Host Access Table (HAT) and Reputation Filters
Rate Limiting with Mail Flow Policies
DNS and Envelope Checks
Sender Authentication
Recipient Access Table and LDAP Accept
Recipient and Sender Manipulation
Default Domain, Domain Map, and Aliases
Masquerading
LDAP Operations
LDAP Accept
LDAP Routing and Masquerading
Groups
Work Queue and Filtering Engines
Work Queue Overview
Incoming and Outgoing Mail Policies
Message Filters
Anti-Spam Engine
Antivirus Engines
Content Filtering
Virus Outbreak Filters
DLP and Encryption
Delivery of Messages
Selecting the Delivery Interface (Virtual Gateways)
Destination Controls
Global Unsubscribe
SMTP Routes
Selecting Bounce Profiles
Handling Delivery Errors with Bounce Profiles
Final Disposition
Summary
Chapter 4 ESA Web User Interface
Overview
Connecting to the WUI
WUI Tour
Monitor Menu
Overview
Incoming Mail
Outgoing Destinations
Outgoing Senders
Delivery Status
Internal Users
DLP Incidents
Content Filters
Outbreak Filters
Virus Types
TLS Connections
System Capacity
System Status
Scheduled Reports
Archived Reports
Quarantines
Message Tracking
Mail Policies Menu
Incoming Mail Policies
Incoming Content Filters
Outgoing Mail Policies
Outgoing Content Filters
Host Access Table (HAT) Overview
Mail Flow Policies
Exception Table
Recipient Access Table (RAT)
Destination Controls
Bounce Verification
DLP Policy Manager
Domain Profiles
Signing Keys
Text Resources
Dictionaries
Security Services Menu
Anti-Spam
Antivirus
RSA Email DLP
IronPort Email Encryption
IronPort Image Analysis
Outbreak Filters
SenderBase
Reporting
Message Tracking
External Spam Quarantine
Service Updates
Network Menu
IP Interfaces
Listeners
SMTP Routes
DNS
Routing
SMTP Call-Ahead
Bounce Profiles
SMTP Authentication
Incoming Relays
Certificates
System Administration Menu
Trace Tool
Alerts
LDAP
Log Subscriptions
Return Addresses
Users
User Roles
Network Access
Time Zone and Time Settings
Configuration File
Feature Keys and Feature Key Settings
Shutdown/Suspend
System Upgrade
System Setup Wizard
Next Steps
Options Menu
Active Sessions
Change Password
Log Out
Help and Support Menu
Online Help
Support Portal
New in This Release
Open a Support Case
Remote Access
Packet Capture
WUI with Centralized Management
Selecting Cluster Mode
Modify CM Options in the WUI
Modifying Cluster Settings
Other WUI Features
Variable WUI Appearance
Committing Changes
Summary
Chapter 5 Command-Line Interface
Overview of the ESA Command-Line Interface
Using SSH or Telnet to Access the CLI
PuTTY on Microsoft Windows
Simple CLI Examples
Getting Help
Committing Configuration Changes
Keeping the ESA CLI Secure
SSH Options on the ESA
Creating and Using SSH Keys for Authentication
Login Banners
Restricting Access to SSH
ESA Setup Using the CLI
Basics of Setup
Next Setup Steps
Commands in Depth
Troubleshooting Example
Status and Performance Commands
Command Listing by Functional Area
Mail Delivery Troubleshooting
Network Troubleshooting
Controlling Services
Performance and Statistics
Logging and Log Searches
Queue Management and Viewing
Configuration File Management
AsyncOS Version Management
Configuration Testing Commands
Support Related Commands
General Administration Commands
Miscellaneous Commands
Configuration Listing by Functional Area
Network Setup
Listeners
Mail Routing and Delivery
Policy and Filtering
Managing Users and Alerts
Configuring Global Engine and Services Options
CLI-Only Tables
Configuration for External Communication
Miscellaneous
Batch Commands
Hidden/Undocumented Commands
Summary
Chapter 6 Additional Management Services
The Need for Additional Protocol Support
Simple Network Management Protocol (SNMP)
Enabling SNMP
SNMP Security
Enterprise MIBs
Other MIBs
Monitoring Recommendations
Working with the ESA Filesystem
ESA Logging
ESA Subsystem Logs
Administrative and Auditing Logs
Email Activity Logs
Debugging Logs
Archive Logs
Creating a Log Subscription
Logging Recommendations
Transferring Logs for Permanent Storage
HTTP to the ESA
FTP to the ESA
FTP to a Remote Server
SCP to a Remote Server
Syslog Transfer
Understanding IronPort Text Mail Logs
Message Events
Lifecycle of a Message in the Log
Tracing Message History
Parsing Message Events
A Practical Example of Log Parsing
Using Custom Log Entries
Summary
Chapter 7 Directories and Policies
Directory Integration
The Need for Directory Integration
Security Concerns
Brief LDAP Overview
LDAP Setup on ESA
Advanced Profile Settings
Basic Query Types
Recipient Validation with LDAP
Recipient Routing with LDAP
Sender Masquerading
Group Queries
Authentication Queries
AD Specifics
Testing LDAP Queries
Advanced LDAP Queries
Troubleshooting LDAP
Incoming and Outgoing Mail Policies
Group-Based Policies
Group Matches in Filters
Other LDAP Techniques
Using Group Queries for Routing
Per-Recipient Routing with AD and Exchange
Using Group Queries for Recipient and Sender Validation
Summary
Chapter 8 Security Filtering
Overview
The Criminal Ecosystem
Reputation Filters and SenderBase Reputation Scores
Enabling Reputation Filters
Reputation Scores
Connection Actions
HAT Policy Recommendations
IronPort Anti-Spam (IPAS)
Enabling IPAS
IPAS Verdicts
IPAS Actions
Content Filters and IPAS
Recommended Anti-Spam Settings
Spam Thresholds
Actions for the Bold
Actions for the Middle-of-the-Road
Actions for the Conservative
Outgoing Anti-Spam Scanning
Sophos and McAfee Antivirus (AV)
Enabling AV
AV Verdicts
AV Actions
AV Notifications
Content Filters and AV
IronPort Outbreak Filters (OF)
Enabling OF
OF Verdicts
OF Actions
Message Modification
Content Filters and OF
Recommended AV Settings
Incoming AV Recommendations
Outgoing AV Recommendations
Using Content Filters for Security
Attachment Conditions and Actions
Filtering Bad Senders
Filtering Subject or Body
Summary
Chapter 9 Automating Tasks
Administering ESA from Outside Servers
CLI Automation Examples
SSH Clients
Expect
Perl
CLI Automation from Microsoft Windows Servers
WUI Automation Examples
Polling Data from the ESA
Retrieving XML Data Pages
Using XML Export for Monitoring
Pushing Data to the ESA and Making Configuration Changes
Changing Configuration Settings Using the CLI
Committing Changes Using the CLI
Changing Configuration Settings Using the WUI
Committing Changes Using the WUI
Retrieving Reporting Data from the WUI
Data Export URLs
Other Data Export Topics
Example Script
Summary
Chapter 10 Configuration Files
ESA and the XML Configuration Format
Configuration File Structure
Importing and Exporting Configuration Files
Exporting
Importing
Editing Configuration Files
Duplicating a Configuration
Partial Configuration Files
Automating Configuration File Backup
Configuration Backup via CLI
Configuration Backup via WUI
Configuration Files in Centralized Management Clusters
Summary
Chapter 11 Message and Content Filters
Filtering Email Messages with Custom Rules
Message Filters Versus Content Filters
Processing Order
Enabling Filters
Combinatorial Logic
Scope of Message Filters
Handling Multirecipient Messages
Availability of Conditions and Actions
Filter Conditions
Conditions That Test Message Data
Operating on Message Metadata
Attachment Conditions
System State Conditions
Miscellaneous Filter Conditions
Filter Actions
Changing Message Data
Altering Message Body
Affecting Message Delivery
Altering Message Processing
Miscellaneous Filter Actions
Action Variables
Regular Expressions in Filters
Dictionaries
Notification Templates
Smart Identifiers
Using Smart Identifiers
Smart Identifier Best Practices
Content Filter and Mail Policy Interaction
Filter Performance Considerations
Improving Filter Performance
Filter Recipes
Dropping Messages
Basic Message Attribute Filters
Body and Attachment Scanning
Complex Combinatorial Logic with Content Filters
Routing Messages Using Filters
Integration with External SMTP Systems
Cul-de-Sac Architecture
Inline Architecture
Delivering to Multiple External Hosts
Interacting with Security Filters
Reinjection of Messages
Summary
Chapter 12 Advanced Networking
ESA with Multiple IP Interfaces
Multihomed Deployments
Virtual Gateways
Adding New Interfaces and Groups
Using Virtual Gateways for Email Delivery
Virtual Gateways and Listeners
Multiple Listeners
Separating Incoming and Outgoing Mail
Multiple Outgoing Mail Listeners
Separate Public MX from Submission
ESA and Virtual LANs
Other Advanced Configurations
Static Routing
Transport Layer Security
Using and Enforcing TLS When Delivering Email
Using and Enforcing TLS When Receiving Email
Certificate Validation
Managing Certificates
Adding Certificates to the ESA
TLS Cipher and Security Options
Split DNS
Load Balancers and Direct Server Return (DSR)
Summary
Chapter 13 Multiple Device Deployments
General Deployment Guidelines
Email Availability with Multiple ESAs
Load-Balancing Strategies
SMTP MX Records
Domains Without MX Records
Incoming and Outgoing Mail with MX Records
Single Location with Equal MX Priorities
Multiple Locations with Equal MX Priorities
Unequal MX Priorities
Disaster Recovery (DR) Sites
Third-Party DR Services
Limitations of MX Records
Dedicated Load Balancers
Load Balancers for Inbound Mail
Load Balancers for Outgoing Mail
Multitier Architectures
Two-Tiered Architectures
Three-Tiered Architectures
Functional Grouping
Large Message Handling
Architectures with Mixed MTA Products
Integration with External Systems
External Email Encryption
External Data Loss Prevention (DLP) Servers
Email Archiving Servers
Archiving Inline or Cul-de-Sac
Archiving Through BCC
Other Archiving Ideas
Introducing, Replacing, or Upgrading ESA in Production
Adding the First ESA to the Environment
Replacing an ESA for Upgrade
Management of Multiple Appliances
Centralized Management Overview
Creating a CM Cluster
Joining an Existing CM Cluster
Creating and Managing CM Groups
Using CM in the WUI
Using CM in the CLI
Centralized Management Limitations and Recommendations
Size of CM Clusters
Configuration Files in Clusters
Upgrading Clustered Machines
Summary
Chapter 14 Recommended Configuration
Best Practices
Redundancy and Capacity
Securing the Appliance
Security Filtering
HAT Policy Settings
Whitelisting and Blacklisting
Spam Quarantining
Deciding to Quarantine or Not
End-User Quarantine Access
Administrative-Only Quarantine Access
Automated Notifications
Being a Good Sender
Being Rate Limited
Outbound Sending Practices
Handling Bounces
Variable Envelope Return Path
DNS and Sender Authentication
Dealing with Blacklisting
Compromised Internal Sources
Bounce Verification
Recommendations for Specific Environments
Small and Medium Organizations
Large or Complex Organizations
Service Providers
Higher Education
Email “Front End” to Complex Internal Organizations
Summary
Chapter 15 Advanced Topics
Recent Developments
Authentication Standards
Path-Authentication Standards: SPF and SIDF
Determining the Identity of the Sender
Deploying SPF
SPF Challenges
Using SPF and SIDF Verification on ESA
Message Authentication: DKIM
Enabling DKIM Signing on ESA
The DKIM-Signature Header
DKIM Selectors and DNS
Other DKIM Signing Options
DKIM Signing Performance
DKIM Verification on ESA
DKIM Challenges
DKIM and SPF Recommendations
Regulatory Compliance
General Concepts
Personally Identifiable Information (PII)
Payment Card Data
Personal Financial Information
Mitigation
Data Loss Prevention (DLP)
Enabling Data Loss Prevention Policies
Adding a DLP Policy
Taking Action on Matching Messages
Classifiers and Entities
Custom Classifiers
Customizing Policies
Customizing Content Matching on Predefined Policies
Customizing User and Attachment Rules
Integration with Content Filters
Summary
TOC, 3/23/2012, 9781587142925